Secure User Authentication

ABSTRACT

Biometric information is authenticated by a web-enabled application that identifies a biometric sensor installed in a client device. The authentication procedure reads biometric information associated with a user and compares the biometric information with a biometric template associated with that user. If the biometric information matches the biometric template, the authentication procedure retrieves credentials associated with the user and communicates those credentials to a requesting process.

RELATED APPLICATIONS

This application claims the benefit of U.S. Provisional Application No. 61/249,218, filed Oct. 6, 2009, the disclosure of which is incorporated by reference herein. This application also claims the benefit of U.S. Provisional Application No. 61/292,820, filed Jan. 6, 2010, the disclosure of which is incorporated by reference herein.

BACKGROUND

Typical user authentication systems and procedures use passwords to authenticate the identity of the user. In many instances, Web sites are authenticated using SSL (Secure Sockets Layer) or other protocols. SSL is a protocol for securely transmitting information via the Internet. When using SSL, a Web site is authenticated via its certificate. The user seeking access to the Web site is then authenticated by username and password.

Although passwords are commonly used to authenticate users, passwords are subject to various attacks, such as phishing attacks, social engineering attacks, dictionary attacks and the like. Typically, longer passwords with combinations of letters and numbers provide a higher level of security. However, these longer passwords are more difficult for users to remember. Additionally, passwords provide a single factor of authentication by requiring the user to provide something they know. This factor does not provide any physical authentication of the user's identity. Thus, any person can access the user's Web-based accounts and information if they gain knowledge of the user's password and username.

Another potential threat associated with user passwords is commonly referred to as a “Man in the Browser” attack. This type of attack uses a malicious software application (commonly known as “malware”) running in the internet browser application while the user is, for example, logging into a web site, accessing confidential information, or performing a financial transaction. One implementation of this attack obtains access to the user's password as the user provides the password to the internet browser application. Once the user's password is obtained, the malware application can perform a variety of malicious actions associated with the user's account.

Therefore, it is desirable to provide a user authentication method and system that provides a more secure authentication of the user than commonly used password-based methods and systems.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 depicts an example system capable of performing biometric user enrollment and authentication.

FIG. 2 depicts another example system capable of performing biometric user enrollment and authentication.

FIG. 3 depicts an example user enrollment process.

FIG. 4 depicts an example user authentication process.

FIG. 5 depicts an example user login interface.

FIG. 6 depicts another example system capable of performing biometric user enrollment and authentication.

FIG. 7 is a flow diagram depicting an embodiment of a procedure for enrolling a user of a biometric authentication system.

FIG. 8 is a flow diagram depicting an embodiment of a procedure for authenticating a user of a biometric authentication system.

FIG. 9 is a flow diagram depicting another embodiment of a procedure for authenticating a user of a biometric authentication system.

FIG. 10 is a flow diagram depicting an embodiment of a procedure for authenticating a user of a Web browser application that supports biometric authentication.

FIG. 11 depicts another embodiment of a procedure for enrolling a user of a biometric authentication system.

FIG. 12 depicts another embodiment of a procedure for identifying and authenticating a user of a biometric authentication system.

Throughout the description, similar reference numbers may be used to identify similar elements.

DETAILED DESCRIPTION

The systems and methods described herein relate to biometric authentication of users. “Biometrics” and “biometric information” refer to measurable biological characteristics of a user, such as a fingerprint, facial characteristics, eye characteristics, voice characteristics (also referred to as a “voiceprint”) and the like. As discussed herein, biometric information provides an additional level of security when used in systems and procedures related to authentication of a user.

Particular examples discussed herein use fingerprint biometric information to authenticate one or more users. In other embodiments, any type of biometric information may be used instead of fingerprint information. Additionally, a particular embodiment may utilize multiple types of biometric information (e.g., fingerprints and voiceprints) to authenticate a user. Certain described embodiments refer to “swipe” style fingerprint sensors. However, alternate embodiments may include any type of fingerprint sensor, such as a “placement” sensor. In particular embodiments, the biometric sensor is physically attached to (or manufactured into) a client device, such as a computer, cellular phone, and so forth. In other embodiments, the biometric sensor is a portable device that is temporarily coupled to the client device (e.g., a pluggable USB device) for enrollment and/or authentication procedures.

As used herein, a “web application”, a “web-based application”, and a “web-enabled application” refer to a software application or software routine that is capable of communicating with one or more web servers or similar devices via the Internet or other data communication network. Additionally, a “plug-in” or a “browser plug-in” refers to an application or extension that provides a variety of different features and functions. Particular examples of “plug-ins” and “browser plug-ins” discussed herein provide features and functions related to user authentication while, for example, accessing web sites, making secure transactions, and the like. In particular embodiments, the browser plug-in is installed as part of the manufacturing process of devices equipped with associated biometric devices. In specific implementations, the browser plug-in is operable with any biometric device that supports the Windows Biometric Framework or other supported architectures or systems.

As discussed above, typical passwords do not provide any physical authentication of the user's identity. Thus, any person or machine can access a user's Web-based accounts and related information if they gain knowledge of the user's password and username. Using biometric information in the user authentication process provides an increased level of security by authenticating physical characteristics of the user. Thus, an imposter with the correct password but lacking the required physical characteristics will not be authenticated by the system.

The systems and methods described herein perform biometric user authentication in several steps. Initially, a user enrolls with the biometric user authentication system by binding their user credentials with the user's biometric template (a “fingerprint template” in specific implementations). The biometric template contains information related to the user's biometric characteristics (also referred to as “biometric information”) obtained from a biometric sensor that scans or reads the user's biometric characteristics, such as a fingerprint. A user identification process identifies a particular user among multiple enrolled users (e.g., multiple users enrolled with a particular device, system or biometric sensor). A user verification process verifies that the user who provides their biometric information is who they claim to be by comparing the user's biometric information with the biometric template obtained during enrollment of that user. The enrollment, identification and verification of users are discussed in greater detail herein.

During an example enrollment process that uses a fingerprint sensor as the biometric sensor, a user swipes their finger across the fingerprint sensor several times to create a fingerprint template. The fingerprint template contains qualitative fingerprint information that allows the user's fingerprint to be distinguished from fingerprints associated with other users. In alternate embodiments, a placement fingerprint sensor (also referred to as a static fingerprint sensor) is used such that a user places their finger on the fingerprint sensor rather than “swiping” their finger across the fingerprint sensor. After creating a fingerprint template, the user (or a web server or other system) provides user credentials, such as a password, cryptographic key, random seed, and the like. The systems and procedures described herein bind the user's fingerprint template with the user credentials. The fingerprint template and user credentials are then stored in a secure storage device. In one embodiment the secure storage device is contained within the fingerprint sensor hardware. In other embodiments, the secure storage device is contained in a device that utilizes the fingerprint sensor.

During an example user identification process (also referred to as a user verification process), a user swipes their finger across a fingerprint sensor. The process then determines whether the user's fingerprint information matches a fingerprint template associated with the fingerprint sensor. If the user's fingerprint information matches a fingerprint template, the user's credentials are released to the user and/or a service or process requesting the user verification. Thus, the user credentials are not released from the secure storage device until a matching fingerprint template is confirmed. In particular embodiments, the user credentials released as a result of a match with a fingerprint template are not necessarily the same credentials provided by the user during the enrollment process. For example, the user credentials released after finding a matching fingerprint template may include an OTP (One Time Password) token, RSA signature and the like. The enrollment process can be initiated by a Web server, a Web browser plug-in, and the like.

The described systems and methods communicate user credentials to a specific address, location, or other recipient identifier. Thus, even if an imposter can gain access to the user credentials, the system will send those user credentials to a predetermined address or location, thereby preventing the imposter from attempting to have the user credentials sent to an alternate address or location. The address or location information is stored within the user credentials and is established as part of the enrollment process.

Particular embodiments of the systems and methods discussed herein use strong cryptographic algorithms implemented in hardware and/or software. Example cryptographic algorithms include AES (Advanced Encryption Standard) 256, SHA (Secure Hash Algorithm) 256 and RSA 2048. Example biometric sensors are compatible with various standards, such as OATH-OCRA (OATH Challenge/Response Algorithms), TOTP (Time-based One-time Password Algorithm), HOTP (HMAC-Based OTP Algorithm) and PKCS (Public Key Cryptography Standards) #11, RSA SecurID based OTP, and the like.

In a particular implementation, each biometric sensor has a unique identifier (ID) that is used to strengthen the level of security provided by the system or process. This unique ID provides an additional authentication factor representing “something you have”. Since each biometric sensor has a unique ID, each user's biometric template and user credentials can be uniquely associated with a specific biometric sensor.

Specific implementations include a biometric sensor as part of a multi-component or multi-element authentication system. Particular embodiments may include one or more authentication factors, such as: 1. something you are; 2. something you have; and 3. something you know.

The systems and methods described herein are useful in performing Web site authentication. In example embodiments, a Web site that supports the authentication procedures discussed herein includes an HTML (HyperText Markup Language) tag that identifies a Web browser plug-in (also referred to as a “biometric plug-in”) that is installed on the user's computing device. This HTML tag indicates to the browser that the Web site supports biometric authentication. Other example embodiments include an extension of an existing Web browser plug-in. Further implementations may utilize a browser helper object, ActiveX control, Browser Extension, or other approaches. In particular implementations, the Web browser plug-in obtains the biometric sensor's unique ID and communicates that unique ID (or a hash of the unique ID) to a web server via HTTP or HTTPS.

When a user accesses the Web site, the Web browser plug-in is activated and detects that a biometric sensor is installed in the user's computing device. The Web site suggests that the user enroll with their biometric sensor to provide a more secure user authentication. If the user accepts, the Web browser plug-in activates the enrollment process to enroll the user. This enrollment process includes binding the Web site to the specific user. The Web site then generates a secret key and passes the secret key to the user's computing device via a secure connection between the Web site and the user's computing device. In a particular implementation, the “enrollment” process includes enrolling the user's fingerprint and generating a secret key.

If the user also wants to bind their computing device with Web site authentication, the Web browser plug-in sends the biometric sensor's ID to the Web site server or other device/system. Multiple embodiments store information in various formats and on various devices or components within a system. Example embodiments may utilize a hash of the shared secret, a hash of the biometric sensor ID, and the like. At this point, the user can select different factors for authentication. In a particular embodiment, the Web site may require stronger authentication when an important operation is being performed on the Web site, such as accessing a bank account or other sensitive data.

After a user has enrolled with a particular Web site that supports biometric authentication, subsequent visits to the same Web site cause the Web browser plug-in to detect that the user has already enrolled with the Web site. In this situation, the Web site prompts the user to perform user authentication (e.g., using the biometric device). In the case of a fingerprint sensor, the user swipes their finger across the fingerprint sensor or places their finger on the fingerprint sensor. If the fingerprint information matches a fingerprint template associated with the fingerprint sensor, the Web browser plug-in releases user secrets from the user credentials. In particular embodiments, the fingerprint sensor releases an OTP token or an RSA signature instead of plaintext credentials. After the credentials are released, they are communicated to the Web site to complete the user authentication process. In specific implementations, the server may generate a random challenge and communicate that challenge to the client device. The Web browser plug-in (or the biometric sensor) uses this challenge to construct a response based on the secure key and the random challenge. The response may be a hash of the secure key, a hash of the random challenge, or any other calculation. The server validates the user credentials and authenticates the user if the validation is successful.

In particular implementations, the user performs the enrollment process for each Web site the user accesses that supports biometric authentication. Additionally, different user credentials are associated with each Web site with which the user enrolls. Thus, if the user enrolls with five different Web sites that support biometric authentication, the biometric sensor in the user's computing device stores five separate sets of user credentials, each of which is associated with one of the five different Web sites. Additionally, if different users access the same Web site, separate user credentials and separate biometric templates are maintained for each user.

Particular embodiments of the Web browser plug-in support WBF (Windows Biometric Framework), thereby supporting any biometric device that supports the WBF interface. The Web browser plug-in also supports the Application Programming Interface specified by the BioAPI Consortium.

In alternate embodiments, the systems and methods determine that a Web site supports biometric authentication by providing a service or process that monitors Web site data and detects certain types of transactions on secure web sites. When a secure transaction is initiated, the systems and methods check the computing device accessing the Web site to determine if the computing device includes a fingerprint sensor or other biometric device. If so, an enrollment and/or authentication process is activated to offer an enhanced level of security to the user, as described herein.

FIG. 1 shows an example system 100 capable of performing biometric user enrollment and authentication via a biometric sensor 104 (such as a fingerprint sensor or other biometric device). In this example, a biometric service 110 executes on a host PC 102 and communicates with one or more applications 112 that may request user authentication. Example applications include Internet browser applications, financial applications, and the like. In a particular embodiment, the Validity biometric service uses a Windows API (e.g., a WinUSB Driver) 108 to encrypt a fingerprint template database with system account credentials. In alternate embodiments, any type of API or similar interface may be used in place of Windows API 108. Biometric sensor 104 has a unique 128 bit encryption key and a unique identifier (e.g., serial number). The enrolled credentials of a user are encrypted with the encryption key and stored in a storage device, such as secure storage 106. In a particular embodiment, biometric service 110 is implemented as a service application running in a local system account.

In a particular embodiment, application 112 is an Internet browser application executing on host PC 102 and communicating with various web servers via the Internet. Application 112 includes a browser extension or browser plug-in that communicates with biometric service 110. In one implementation, biometric service 110 is a secure application executing in a background mode on host PC 102. Thus, biometric service 110 provides a communication interface to biometric sensor 104. The browser extension (or browser plug-in) associated with application 112 is capable of communicating transaction details, random challenges, signature information, user information, and other data to biometric service 110. Biometric service 110 also communicates with one or more web servers as part of the user enrollment and/or user authentication procedure.

FIG. 2 shows another example system 200 capable of performing biometric user enrollment and authentication via a biometric sensor 204. System 200 includes a host PC 202, a WinUSB driver 210, a biometric service 212 and an application 214 similar to the components discussed above with respect to FIG. 1. In the example of FIG. 2, the biometric sensor decrypts the user credentials only after a successful biometric reading, such as a fingerprint swipe or fingerprint scan (using a placement style fingerprint sensor). For example, in a successful fingerprint swipe, the swiped fingerprint information matches a fingerprint template associated with the fingerprint sensor. In a particular embodiment, the Validity enterprise sensor has a unique 256 bit encryption key 208 and a unique identifier (e.g., serial number). The biometric sensor 204 creates a secure communication with Host PC 202 using SSL v3 protocol or other secure communication technique. In a particular implementation, biometric sensor 204 includes a “match on chip” functionality that releases a user's credentials only upon a successful fingerprint swipe or other biometric reading. User credentials and other information may be stored within biometric sensor 204, in a secure storage 206, or any other storage mechanism. In certain embodiments, the Validity biometric service is implemented as a service application running in a local system account.

FIG. 3 shows an example user enrollment process in which the user enrolls using a fingerprint sensor to bind the user's fingerprint template with the user's credentials. An application 304 that desires to enroll a user with a biometric device communicates with a biometric service 302, which is coupled to a secure storage 306. Biometric service 302 is also coupled to a biometric sensor (not shown), which captures biometric data and communicates that data to the biometric service. Application 304 initiates the user enrollment process by displaying a request 308 for the user to provide their fingerprint (in the case of a fingerprint sensor) and provide user credentials. Application 304 communicates a user enrollment request to biometric service 302 as well as information regarding a user identifier (user id), an application identifier, and user credentials. The biometric service then captures the fingerprint data and stores the fingerprint data in secure storage 306. Additional details regarding the user enrollment process are provided herein.

FIG. 4 shows an example user authentication process using a fingerprint sensor. An application 404 that desires to authenticate a user with a biometric device communicates with a biometric service 402, which is coupled to a secure storage 406. Biometric service 402 is also coupled to a biometric sensor (not shown), which captures biometric data and communicates that data to the biometric service. Application 404 initiates the user authentication process by displaying a request 408 for the user to provide their fingerprint (in the case of a fingerprint sensor). Application 404 communicates an authentication and/or identity request to biometric service 402. The biometric service then captures the fingerprint data and identifies user credentials for the user associated with the fingerprint data. The user credentials are then communicated to application 404. Additional details regarding the user authentication process are provided herein.

FIG. 5 shows an example user login interface 502 displayed during the user authentication process. The example of FIG. 5 requests a user ID and a password, then asks the user to provide biometric information, such as swiping their finger across a fingerprint sensor. Alternate embodiments of user login interface 502 may request more or less information from the user, such as requesting other credentials or identifying information from the user.

FIG. 6 shows another example system 600 capable of performing biometric user enrollment and authentication using any number of different types or brands of fingerprint sensors. Depending on the fingerprint sensor type and/or manufacturer, the system of FIG. 6 uses 1) a WBF (Windows Biometric Framework) interface, 2) a biometric service, or 3) any other system or service to communicate data between an Internet browser application and the fingerprint sensor.

System 600 includes a browser application 602 capable of communicating with a web server 604 and a biometric service 608. Browser application 602 includes a biometric extension 618 that facilitates communication and handling of biometric-related data. In alternate embodiments, biometric extension 618 is replaced with a browser application plug-in. Web server 604 is coupled to a secure database 606 that stores various data, such as data used during the biometric user enrollment and authentication procedures, as discussed herein.

Biometric service 608 communicates with a Windows biometric framework 610 and a fingerprint sensor 612. Windows biometric framework 610 also communicates with a fingerprint sensor 616 that is not able to communicate directly with biometric service 608. Thus, Windows biometric framework 610 provides an interface between fingerprint sensor 616 and biometric service 608. Fingerprint sensor 612 is capable of communicating directly with biometric service 608 without needing Windows biometric framework 610. Fingerprint sensor 612 is coupled to a secure storage 614 that stores user credentials, an encryption key, and related data.

During operation of system 600, web server 604 sends a web page (e.g., an HTML page) and a random challenge to browser application 602. Biometric extension 618 communicates the random challenge to biometric service 608, which requests a response from fingerprint sensor 612 (or requests a response from fingerprint sensor 616 via Windows biometric framework 610). Fingerprint sensor 612 sends a response to biometric service 608 after a valid fingerprint swipe (or scan). Thus, if a user fails to swipe a finger or fingerprint sensor 612 reads invalid fingerprint information, no response is sent to biometric service 608. In alternate embodiments, fingerprint sensor 612 sends an “invalid fingerprint” message to biometric service 608 if the fingerprint sensor reads invalid fingerprint information. If biometric service 608 receives a positive response from fingerprint sensor 612 (e.g., a valid fingerprint swipe), the biometric service communicates a response to the random challenge to web server 604 using a secure communication link. Additional details regarding biometric user enrollment and authentication are provided below.

In a particular embodiment, a secret key (also referred to as a “secure key”) is generated by a web server and stored by the web server. The secret key is also provided to the biometric sensor and/or the system containing the biometric sensor, and stored along with the biometric template associated with the user. The secret key can be a cryptographic key (DES, AES, etc.), a random seed, a random number, an RSA private key, and so forth. In alternate embodiments, the secret key is generated by a client device and communicated to the web server. The secure key may be transferred using HTTP or HTTPS and can be transferred directly to the browser application or directly to the browser application plug-in (or browser application extension). The biometric template is typically generated during enrollment of the user. Additionally, if the biometric device has a unique ID, that unique ID is sent to the web server for storage and use in future authentication procedures.

In particular embodiments, binary files used in the systems and methods discussed herein are signed and authenticated prior to running the binary files. This approach blocks malicious attempts to replace or edit the binary files. Additionally, applications communicating with the biometric service are validated at runtime.

FIG. 7 is a flow diagram depicting an embodiment of a procedure 700 for enrolling a user of a biometric authentication system. Initially, procedure 700 detects a finger contacting a fingerprint sensor or other biometric sensor (block 702). Fingerprint information is read as the user swipes their finger across the fingerprint sensor (block 704). In alternate embodiments using a placement fingerprint sensor, the fingerprint information is scanned as the user positions their finger on the sensor. The procedure continues by creating a fingerprint template associated with the fingerprint information (block 706).

Procedure 700 receives user credentials associated with the user (block 708). Example user credentials include a password, a cryptographic key, a random seed or any other similar confidential information. Next, the procedure binds the user credentials with the fingerprint template (block 710), then stores the user credentials and the fingerprint template (block 712) in a secure storage device.

In a specific embodiment, the procedure also binds a particular web site (e.g., a web site requesting biometric enrollment and/or biometric authentication of a user) with the fingerprint template. Thus, a particular user may perform the biometric enrollment procedure for each web site for which the user is to provide future biometric authorization or biometric authentication.

FIG. 8 is a flow diagram depicting an embodiment of a procedure 800 for authenticating a user of a biometric authentication system. Procedure 800 is performed after a particular user has enrolled with the biometric authentication system using, for example, the procedure discussed with respect to FIG. 7. The authentication procedure reads fingerprint information from a user's finger in contact with a fingerprint sensor (block 802). Procedure 800 then identifies a fingerprint template associated with the user (block 804) who is accessing the fingerprint sensor. The fingerprint information read from the user's finger is compared with the fingerprint template (block 806) to determine whether there is a match (block 808). If the fingerprint information read by the fingerprint sensor does not match the information stored in the fingerprint template, the biometric authentication system does not retrieve the user credentials (block 814). Thus, the user credentials remain securely stored if a match is not detected.

If the fingerprint information read by the fingerprint sensor matches the information stored in the fingerprint template, the biometric authentication system retrieves the credentials associated with the user (block 810). The user credentials are then communicated to a requesting process or system (block 812).

FIG. 9 is a flow diagram depicting another embodiment of a procedure 900 for authenticating a user of a biometric authentication system. Initially, procedure 900 reads fingerprint information from a user's finger in contact with a fingerprint sensor (block 902). The procedure then authenticates the fingerprint information (block 904). If the fingerprint information is not authenticated, a message is generated indicating an authentication failure (block 906). If the fingerprint information is authenticated, the procedure retrieves credentials associated with the user based on the fingerprint information (block 908). The procedure then decrypts the user credentials (block 910) and identifies a unique identifier associated with the fingerprint sensor (block 912). The decrypted credentials and the unique identifier are communicated to a requesting process or system (block 914).
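As an added illustration that is not part of this application, the following Python model ties together the random-challenge flow described for system 600 and the credential-release gate of procedure 900: the web server issues a one-shot random challenge, the sensor decrypts the per-site secret and computes a response only after the template matches, and the server checks the hash of the sensor's unique ID and rejects a replayed challenge. HMAC-SHA256 as the response calculation, a SHA-256 counter keystream standing in for AES-256, and the byte-string "fingerprint templates" are all assumptions made for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Constructed values; a real sensor carries its own serial number and key.
SENSOR_ID = b"SENSOR-0001"
SENSOR_KEY = os.urandom(32)   # 256-bit per-sensor key, as in the FIG. 2 description


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy SHA-256 counter keystream standing in for AES-256 (assumption); self-inverse."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


@dataclass
class Sensor:
    """Match-on-chip sensor: per-(site, user) secrets stay encrypted until a match."""
    templates: dict = field(default_factory=dict)   # user -> enrolled template
    secrets: dict = field(default_factory=dict)     # (site, user) -> encrypted secret

    def enroll(self, user: str, site: str, template: bytes, secret: bytes) -> None:
        # Blocks 706-712 of procedure 700: bind template, site and credentials; store encrypted.
        self.templates[user] = template
        self.secrets[(site, user)] = keystream_xor(SENSOR_KEY, secret)

    def respond(self, user: str, site: str, scan: bytes, challenge: bytes):
        # Block 904: simulated match. compare_digest returns False on any mismatch.
        template = self.templates.get(user)
        if template is None or not hmac.compare_digest(template, scan):
            return None                      # block 906: nothing leaves the sensor
        enc = self.secrets.get((site, user))
        if enc is None:
            return None                      # user is not enrolled for this site
        secret = keystream_xor(SENSOR_KEY, enc)                      # block 910
        resp = hmac.new(secret, challenge + SENSOR_ID, hashlib.sha256).digest()
        return resp, SENSOR_ID               # blocks 912-914: response plus unique ID


class WebServer:
    """Holds the per-user secret and a hash of the sensor ID; issues one-shot challenges."""

    def __init__(self) -> None:
        self.users = {}       # user -> (secret, sha256(sensor_id))
        self.pending = set()  # challenges issued but not yet consumed

    def enroll(self, user: str, sensor_id: bytes) -> bytes:
        secret = os.urandom(32)
        self.users[user] = (secret, hashlib.sha256(sensor_id).digest())
        return secret         # sent to the client over the secure connection

    def challenge(self) -> bytes:
        c = os.urandom(16)
        self.pending.add(c)
        return c

    def verify(self, user: str, challenge: bytes, resp: bytes, sensor_id: bytes) -> bool:
        if user not in self.users or challenge not in self.pending:
            return False      # unknown user, or a replayed/forged challenge
        self.pending.discard(challenge)
        secret, sid_hash = self.users[user]
        if not hmac.compare_digest(sid_hash, hashlib.sha256(sensor_id).digest()):
            return False      # "something you have" check on the sensor's unique ID
        expected = hmac.new(secret, challenge + sensor_id, hashlib.sha256).digest()
        return hmac.compare_digest(expected, resp)


def run_demo():
    """Returns (genuine login ok, wrong finger blocked, replay rejected, unenrolled site blocked)."""
    bank, shop, sensor = WebServer(), WebServer(), Sensor()
    alice = b"alice-template"   # constructed stand-in for an enrolled fingerprint template
    sensor.enroll("alice", "bank", alice, bank.enroll("alice", SENSOR_ID))

    c1 = bank.challenge()
    r1 = sensor.respond("alice", "bank", alice, c1)
    genuine = r1 is not None and bank.verify("alice", c1, *r1)

    blocked = sensor.respond("alice", "bank", b"mallory-finger", bank.challenge()) is None
    replay = bank.verify("alice", c1, *r1)   # same response presented a second time
    other_site = sensor.respond("alice", "shop", alice, shop.challenge()) is None
    return genuine, blocked, replay, other_site


if __name__ == "__main__":
    print(run_demo())
```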

FIG. 10 is a flow diagram depicting an embodiment of a procedure 1000for authenticating a user of a Web browser application that supportsbiometric authentication. Initially, a web browser application accessesa web site that supports biometric authentication (block 1002). Theprocedure then determines whether a biometric device is installed in thesystem executing the web browser application (block 1004). The biometricdevice may be physically installed in the system or coupled to thesystem, such as via a universal serial bus (USB) or other communicationlink. If a biometric device is not installed (block 1006), the webbrowser application operates without biometric authentication (block1014).

If a biometric device is installed in the system executing the webbrowser application, the web browser application offers enhancedsecurity to a user through the use of the biometric device (block 1008).If the user accepts the offer of enhanced security at block 1010, theuser enrolls using the biometric device (block 1012). The user enrolls,for example, using the enrollment procedure discussed herein. If theuser does not accept the offer of enhanced security at block 1010, theweb browser application operates without biometric authentication (block1014).

FIG. 11 depicts another embodiment of a procedure for enrolling a userof a biometric authentication system. FIG. 11 shows the various actionsand functions performed during the enrollment of a user and thecomponent or system that performs those actions or functions.

FIG. 12 depicts another embodiment of a procedure for identifying and authenticating a user of a biometric authentication system. FIG. 12 shows the various actions and functions performed during the identification and authentication of a user and the component or system that performs those actions or functions.

The invention may also involve a number of functions to be performed by a computer processor, such as a microprocessor. The microprocessor may be a specialized or dedicated microprocessor that is configured to perform particular tasks according to the invention, by executing machine-readable software code that defines the particular tasks embodied by the invention. The microprocessor may also be configured to operate and communicate with other devices such as direct memory access modules, memory storage devices, Internet related hardware, and other devices that relate to the transmission of data in accordance with the invention. The software code may be configured using software formats such as Java, C++, XML (Extensible Mark-up Language) and other languages that may be used to define functions that relate to operations of devices required to carry out the functional operations related to the invention. The code may be written in different forms and styles, many of which are known to those skilled in the art. Different code formats, code configurations, styles and forms of software programs and other means of configuring code to define the operations of a microprocessor in accordance with the invention will not depart from the spirit and scope of the invention.

Within the different types of devices, such as laptop or desktop computers, hand held devices with processors or processing logic, and also possibly computer servers or other devices that utilize the invention, there exist different types of memory devices for storing and retrieving information while performing functions according to the invention. Cache memory devices are often included in such computers for use by the central processing unit as a convenient storage location for information that is frequently stored and retrieved. Similarly, a persistent memory is also frequently used with such computers for maintaining information that is frequently retrieved by the central processing unit, but that is not often altered within the persistent memory, unlike the cache memory. Main memory is also usually included for storing and retrieving larger amounts of information such as data and software applications configured to perform functions according to the invention when executed by the central processing unit. These memory devices may be configured as random access memory (RAM), static random access memory (SRAM), dynamic random access memory (DRAM), flash memory, and other memory storage devices that may be accessed by a central processing unit to store and retrieve information. During data storage and retrieval operations, these memory devices are transformed to have different states, such as different electrical charges, different magnetic polarity, and the like. Thus, systems and methods configured according to the invention as described herein enable the physical transformation of these memory devices. Accordingly, the invention as described herein is directed to novel and useful systems and methods that, in one or more embodiments, are able to transform the memory device into a different state. The invention is not limited to any particular type of memory device, or any commonly used protocol for storing and retrieving information to and from these memory devices, respectively.

Embodiments of the system and method described herein facilitate enrollment and authentication of users through a biometric device, such as a fingerprint sensor. Additionally, some embodiments are used in conjunction with one or more conventional fingerprint sensing systems and methods. For example, one embodiment is used as an improvement of existing fingerprint detection and/or sensing systems.

Although the components and modules illustrated herein are shown and described in a particular arrangement, the arrangement of components and modules may be altered to enroll and authenticate users in a different manner. In other embodiments, one or more additional components or modules may be added to the described systems, and one or more components or modules may be removed from the described systems. Alternate embodiments may combine two or more of the described components or modules into a single component or module.

Although specific embodiments of the invention have been described and illustrated, the invention is not to be limited to the specific forms or arrangements of parts so described and illustrated. The scope of the invention is to be defined by the claims appended hereto and their equivalents.

1. A method of authenticating biometric information via the internet, the method comprising: identifying a biometric sensor installed in a client device with a web-enabled application; reading biometric information associated with a user; comparing the biometric information with a biometric template associated with the user; if the biometric information matches the biometric template: retrieving credentials associated with the user based on the biometric information; and communicating the credentials to a requesting process.
2. The method of claim 1, further comprising comparing the biometric information with a plurality of biometric templates associated with the biometric sensor.
3. The method of claim 1, wherein the requesting process is configured in a software application.
4. The method of claim 1, wherein the requesting process is executing on a device containing a biometric sensor.
5. The method of claim 1, wherein the requesting process is executing on a remote device.
6. The method of claim 1, further comprising encrypting the credentials prior to communicating the credentials to a requesting process.
7. The method of claim 1, wherein the retrieved credentials are plaintext credentials.
8. The method of claim 1, wherein the retrieved credentials represent a one-time use password.
9. The method of claim 1, wherein the retrieved credentials are communicated to a web server in the form of a challenge-response.
10. The method of claim 1, wherein the retrieved credentials include an RSA signature.
11. The method of claim 1, wherein the web-enabled application is a web browser extension.
12. The method of claim 1, wherein the web-enabled application is a web browser plug-in.
13. The method of claim 1, wherein the method is initiated in response to the user accessing a web site that supports biometric authentication.
14. The method of claim 13, further comprising determining whether the user is enrolled with the web site being accessed.
15. The method of claim 1, further comprising creating a secure connection between the client device and a web server.
16. The method of claim 15, wherein the retrieved credentials include an authentication token, and further comprising communicating the authentication token and a user identifier from the client device to the web server via the secure connection.
17. The method of claim 16, wherein the authentication token is a shared secret.
18. The method of claim 1, further comprising the biometric sensor releasing an authentication token if the biometric information matches the biometric template.
19. The method of claim 18, wherein the authentication token is a one time password.
20. The method of claim 18, wherein the authentication token is an RSA signature.
21. The method of claim 18, wherein the authentication token includes plaintext user credentials.
22. The method of claim 18, further comprising communicating the authentication token to a web server.
23. A method comprising: reading fingerprint information from a user's finger in contact with a fingerprint sensor; authenticating the fingerprint information; if the fingerprint information is associated with a valid user: retrieving credentials associated with the user; determining a unique identifier associated with the fingerprint sensor; and communicating the credentials and the unique identifier to a requesting process.
24. The method of claim 23, wherein authenticating the fingerprint information includes comparing the fingerprint information read from the user's finger with a fingerprint template.
25. The method of claim 23, wherein authenticating the fingerprint information includes comparing the fingerprint information read from the user's finger with a plurality of fingerprint templates associated with the fingerprint sensor.
26. The method of claim 23, further comprising decrypting the retrieved credentials associated with the user.
27. The method of claim 23, wherein the retrieved credentials associated with the user are plaintext credentials.
28. The method of claim 23, wherein the retrieved credentials associated with the user include a one-time use password derived from the retrieved credentials.
29. The method of claim 23, wherein the retrieved credentials associated with the user include an RSA signature.
30. A method of accessing a web site that supports biometric authentication, the method comprising: determining whether a biometric sensor is installed in the device accessing the web site; determining whether a user has enrolled the biometric sensor with the web site; if the device accessing the web site has an installed biometric sensor and the user has enrolled the biometric sensor: reading biometric information from the user via the biometric sensor; comparing the biometric information read from the user with a biometric template; and retrieving credentials associated with the user if the biometric information read from the user matches the biometric template.
31. The method of claim 30, wherein the biometric sensor is a fingerprint sensor.
32. The method of claim 30, wherein the biometric information includes fingerprint characteristics associated with the user's finger.